Service account permissions - Metasys - LIT-12011279 - General System Information - Metasys System - 13.0

Network and IT Guidance Technical Bulletin

Brand
Metasys
Product name
Metasys System
Document type
Technical Bulletin
Document number
LIT-12011279
Version
13.0
Revision date
2023-09-29
Product status
Active
Language
English

The Metasys system requires that the service account in Active Directory service allow a minimal set of permissions. This section lists these permissions, but does not dictate how they should be applied; the customer's IT department determines this at the time of creation. The required permissions include the following:

  • Read access to the domain object of each domain that contains Active Directory service users who are Metasys system users.

  • Read access to each organizational unit that contains Active Directory service users who are also Metasys system users.

  • Read access to the attributes of each User Object in Active Directory service that relates to Metasys system users or read access to only the following individual attributes on those user objects (if full read access is not allowed):

    • ObjectSID
    • samAccountName
    • displayName
    • Description
    • mail
    • userPrincipalName
    • telephoneNumber
    • UserAccountControl
    • CanonicalName

In addition, a non-expiring Service Account password is required. See Service account rules. Also, the Service Account must be able to access all domains with Metasys system users to perform LDAP queries. For example, accounts cannot be denied access to the domain controller in the domain security policy.